Industry of Anonymity

Inside the world of profit-driven cybercrime

Category: Cybercriminal Behaviour

All’s Fair in Love and War?

As someone who studies trust among cybercriminals, I often field queries from the curious about what factors disrupt cooperation among online criminals. Until a recent visit to Eastern Europe, one element I hadn’t considered was the significant role that political animosity might play in damaging relationships. My visit to the region made clear that the war in eastern Ukraine is leading to a number of unexpected consequences in the cybercrime sphere, sowing the seeds of distrust among certain players in the Russian-speaking “scene”.

This was an issue raised by a number of local researchers I met with, who go “undercover” and monitor the key Russian-speaking marketplaces. In the past, most Eastern European actors rarely expressed their political views. But recent events have seen a shift. With the conflict simmering on the ground, a number of “flame wars” have developed online, between those broadly in support of Russia and those against it. This has damaged cooperation and led to the breakdown of some long-term and trusting partnerships. Some forums have even had to bring in and enforce rules against political discussion. Max Goncharov’s new report on the Russian underground suggests similar developments as a result of the Ukrainian conflict: fights between forum members with some even being banned or retreating into exile.

In order to understand the significance of these developments, it is important to note that the Russian underground is not actually Russian. It is merely Russian-speaking. While Russian nationals play a key role, and some may have a sense of centrality or superiority, cybercriminals from countries like Ukraine, Belarus and the Baltic States have played an important role in the business since the early days. Russian provided a common tongue and operating in a Russian-speaking online community opened up a much larger market for cybercriminals in the region. In self-preservation terms, the use of Russian also helped shield each participant’s nationality from local authorities or other criminals taking an interest in them.

A fundamental norm also quickly developed: don’t seek targets in the former Soviet Bloc. Part of this norm can be explained ideologically, stemming from Soviet era propaganda, in that wealthy “bourgeois” foreigners made more deserving targets than economically struggling “comrades” in Eastern Europe. There is also a practical explanation of not wanting to draw the wrath of local law enforcement and security agencies, especially when well insulated against foreign investigations. As Police Dog, one of the well-known CarderPlanet era cybercriminals, wrote: “If we didn’t make a mess on our own doorstep then our local cops and intelligence services didn’t have a problem with us”.

While these explanations have their place, there is almost certainly an economic component involved here as well. In the 1990s and early 2000s, some low-level scams seem to have targeted locals due to the ease of monetisation, avoiding the complications of moving money across borders. But as the West began to rapidly develop the Internet, comparatively wealthy victims and their data became available to those with the right skill sets. It was much more lucrative for Russian-speaking cybercriminals to invest their time and efforts in this new area, especially when Eastern Europeans were less likely to be using credit cards, online banking or purchasing products online and companies in the region were not adopting new technologies to the same degree as those in the West. Locals in former communist countries generally had far less money to steal in the first place, so it seemed only logical to focus attacks overseas.

But change is afoot: there is no longer a dearth of targets in the former Soviet Bloc. The widespread use of the Internet and other new technologies has taken hold in Eastern Europe. New wealth is also emerging. There is money to be made by cybercriminals seeking targets closer to home and there is no doubt that some have been taking advantage of the new opportunities. One Ukrainian researcher suggested that for the last few years Russian-speaking cybercriminals have begun to work “quietly” within their own part of the globe. Of course, there was a loud bang when those behind the Carberp malware began to target online bank accounts in the region, subsequently leading to a number of arrests. This case led to more open talk on forums about Eastern European targets, but many still operate cautiously.

The question now becomes whether recent geopolitical events will lead to the complete dismantling of the norm against carrying out attacks in the former Soviet Bloc. As tensions in the region continue, will the Russian-speaking cybercriminal community become increasingly disjointed and frayed? There is no doubt that politically motivated cyber attacks, whether state directed or not, have increased since the outbreak of war. Local security professionals who have spent much of their careers handling profit-driven cases are now having to shift some of their attention towards cyber espionage, sabotage, activism and terrorism. But some cybercriminals may also harness this opportunity to profit from citizens and institutions in “enemy” countries in the region, using this new political context as cover for their actions, just as the old Soviet propaganda could be used to justify targeting those in the West. Such actions are also likely to bring little heat from national law enforcement when the targets are a (newly) unfriendly state’s citizens. Meanwhile, other cybercriminals might care little about politics and simply focus on business, being happy to collaborate with anyone and target any country in the region, as long as there is money to be made.

While norms can seem entrenched, the work of social scientists like Gerry Mackie suggests that if a convention ends, it does so quickly. The inherent nature of a norm is that it is widely agreed upon and applied by interdependent actors. As soon as a tipping point of dissatisfaction is reached, a norm can become unsustainable and almost immediately dissolve. Only time will tell whether the prohibition against targeting former Soviet countries will face this same swift fate.

Call Me i$Hm@eL

For cybercriminals, everything hangs on a nickname.

At the peak of his career in the late-2000s, a mysterious online figure from Eastern Europe attained the position of administrator of DarkMarket. He had climbed to the highest rung of one of the most significant cybercriminal forums—where stolen credit-card data and other illicit goods and services are traded—in history. But before he could do all that, he had to choose a nickname.

For Pavel Kaminski, the reputed Warsaw-based spammer, getting his nickname right was the first step into one of the most elite circles of online criminality. His choice: an homage to a Teenage Mutant Ninja Turtles character, the rat sensei Master Splinter. But Kaminski customized the spelling to exude a certain “hackerish” quality. The handle, Master Splyntr, had no particular significance for its creator; but there was thought and strategy in its invention. In fact, for Keith Mularski, the real person behind Pavel Kaminski, there had to be.

Not only was Master Splyntr a creation; so too was the Polish spammer. Mularski was an FBI agent who had fabricated this cover with help from the spam-fighting organization Spamhaus. The agent was not working out of Warsaw but the offices of the National Cyber-Forensics and Training Alliance, in Pittsburgh. It amused Mularski that he had turned to an underground rat for his nickname. With the rat’s help, soon DarkMarket would be down, and major global cybercriminals would be in jail.

In cybercrime, it is difficult for criminals to establish bona fides. They can’t rely on their reputation in the neighborhood, or chest-pounding prowess. They have to build a virtual identity. In this, as one FBI agent who has spent time undercover online told me, a good nickname is “basically all that you have.”

The key to cybercriminal nicknames is less in the specific choice—the actual name hardly matters—than in the intricate function that they play. An effective handle provides anonymity, and can’t be easily used to identify the cybercriminal behind the name. This is the feature that allows users to advertise their criminality openly online. But a nickname is also the foundation of a cybercriminal’s reputation—of what amounts to a trusted brand. Without it they have no presence online. They’re just a newbie—a “noob.”

On the dark Web, it’s difficult to know who you are really talking to: maybe a Polish spammer or an FBI agent in Pittsburgh. Take the elite hacker Max Butler, aka Max Ray Vision. By the end of his dark digital career, he had accumulated at least five cyber identities: Ghost23, Generous, Iceman, Digits, and finally Aphex. Ghosts are a common trope online, but the names Generous and Digits, used by Butler when vending stolen credit-card data, implied attractive profits for customers.

As Wired editor Kevin Poulsen explained in his biography of Butler, Kingpin, Butler took on the handle of Iceman when he established the forum CardersMarket—which would become a rival to DarkMarket. He chose Iceman specifically because it wasn’t unique: There were other Icemen floating around the dark Web. Butler thought that if he ever attracted heat from law enforcement, the multiplicity might thwart efforts to identify him. He further spread his risk by keeping his vendor identity, Digits, separate from his administrator identity, Iceman—in case one or the other was “apprehended.” Ultimately, a damaged reputation was what led to Iceman’s demise: He had started a cyberturf war with other carding forums, attracted media attention, and (ironically) made unproven accusations that the honorable Master Splyntr was a fed. So Butler retired Iceman, and up stepped Aphex as the “new” boss of CardersMarket.

Butler and Mularski both put some strategy into their handles. But one former American hacker told me handles are often simply what “sounds cool” at the time. Veteran carder and film buff David Thomas used the online nickname El Mariachi as a tribute to the Robert Rodriguez film; Robert Schifreen, who hobby-hacked in 1980s Britain before it was illegal, went by the name Triludan the Warrior, a reference to the antihistamine medication he used.

To build a trusted brand, there is an incentive to maintain the same nickname over time, but that increases the risk of being caught. Cybercriminals have to carefully balance these competing interests.

One British identity thief I talked with tweaked his handle up to 20 times over his career—but maintained an identifiable (to the right people) strain throughout. The undercover FBI agent knows of Russian cybercriminals who replaced their nicknames every three months. But even these guarded types must subtly alert select collaborators to their new identity, or face starting from scratch.

Then there are those who value reputation over risk, like the hacker and former spammer I met with in Southeast Asia: He has used the same handle, chosen at random from the dictionary, since he was a teenager, through his forays into crime, and even after going straight. “I mean, I’ve got a reputation, I’ve got friends—people trust me,” he explained. Giving it up, he said, would be akin to relinquishing his identity in the physical world and starting again. Today, he works as what is called a penetration tester, a legal hacker of sorts, hired to find holes in a client’s system before a real attacker does. Some clients have discovered his past, and his long-established online reputation. But they seem pleased. They figure it means he’s more effective at his job.

This article was originally published in the Nov/Dec 2013 edition of Pacific Standard.

Honour Among Cyberthieves

Most people would not look to active criminals when seeking out an honourable and trustworthy person to do business with. It is assumed that those who deal in theft, deceit and sometimes violence do not make good partners. Yet for the criminals themselves, they have little choice. They must build working relationships with other criminals to carry out their enterprises and to trade in illegal goods and services. Along with a good reputation, one of the most useful tools conventional criminals have for building trust with other criminals is the option of physical enforcement. If a partner steps out of line, they get “paid a visit”.

But cybercriminals do not have things as easy. How do cybercriminals build trust online when they often don’t even know who they are dealing with? How do they trade goods and services when their partners could potentially scam them without fear of violent retribution? These are the complex questions facing cybercriminals online, in an environment where anonymity is as much a cost as it is a benefit.

In a previous post, I discussed how cybercriminals require ways of “spotting the fed” in the online meeting places where illicit business is done. I argued that, without knowing it, cybercriminals try to unmask undercover agents by looking for what sociologists and others call “discriminatory signals”: statements and actions that are very costly to fake. And I noted the well-known example of such a signal: the suspected poisoner proving his innocence by drinking the “poison”. A real poisoner would be unlikely to take the drink, knowing death would follow.

In practice, cybercriminals use similar signaling mechanisms for trying to differentiate a trustworthy partner from a possible “ripper”. First, they might just ask for a display of trustworthiness. This could be some sort of smaller exchange that, if performed well, could lead to a larger deal. In the case of money mules, who help transfer ill-gotten gains around the world, this would be the movement of a small sum of money at first, but followed by incremental increases in the amount the mule is trusted with as they demonstrate they are worthy over time. Of course, sometimes there is no honour among thieves, and the mules simply run off with the money. But in a surprising number of cases, they stick around, probably recognizing that they have more to gain in the long run by establishing trust with a regular customer (or building a reputation in a community), than cheating them in a specific instance.

Yet building trust through such practices is still inherently risky, particularly in the early exchanges. As a result, cybercriminals often use other tools to reinforce cooperation as well. They are quite fond of referrals, regularly vouching for each other, whether for general purposes or for joining specific groups/forums or criminal enterprises. They may also “dox” each other, drawing up another user’s online footprint, and decide for themselves whether the trail of interactions suggests a trustworthy partner or not. But it is also a world full of ego, and demonstrations of prowess can often be important for showing trustworthiness in terms of ability, as much as ethics. One way of demonstrating prowess, particularly with regard to other less experienced/competent users, is to post some form of tutorial on the appropriate part of a forum.

The cybercriminal trading forums themselves formalise some of these mechanisms used by cybercriminals to buttress trust. Certain forums have ranks of members based on their trustworthiness (such as the imaginatively titled “Trusted Member”). Promotion to these ranks is usually down to a good track record and being vouched for by other forum members. Forums also often maintain a “name and shame” section where scammers can be outed. These systems put reputations out into the open, thereby reducing the need for potential collaborators to carry out various investigations themselves or require references.

Cybercriminal trust mechanisms are surprisingly effective at weeding out scammers and posers. They make good tests of trustworthiness because they often have a public component and/or are verifiable: referrals can be easily checked with the referee; it is very difficult to mimic a communication trail left on the web; displays of prowess are publicly posted and therefore open to critique and ridicule; good and bad reputations are widely advertised on forums. While “ripping” certainly occurs quite regularly, there appears to be some degree of honour even among cyberthieves. In fact, one former spammer who now works as a security professional told me that he was never scammed during his spamming career: “I’ve been ripped off more times by corporates and commercials, companies I am working for legitimately with a f***ing contract, than I have by people that you would consider to be scum of the earth”.

Read more about honour among cyberthieves in “Trust in the World of Cybercrime”.